In any industry, you get industry-specific jargon. It’s a sort of verbal shorthand that's used to cover terms that are used a lot. In the security industry, we’re certainly not immune to this. Some of the terms are particularly colorful, given the subject matter we’re dealing with, and the geek-love of pop culture media. I’ll introduce a few of the terms that we’ve been dealing with lately, especially in light of the Flashback malware.
This is a big catchall phrase that covers all sorts of software with nasty intent. Not buggy software, not programs you don’t like, but software which is written with the intent to harm.
This is a specific type of malware that spreads itself once it’s initially run. This is different from other types of malware because it can either be like a parasite that attaches to good files on your machine, or it can be self-contained and search out other machines to infect.
Worms are a kind of virus. Specifically that second kind I just mentioned that searches out other machines to infect.
Do you remember that story you had to read in high school about the big wooden horse that turned out to be full of guys with spears? This is the computer equivalent. You run a file that is supposed to be something fun or important, but it turns out that it’s neither fun nor important, and it’s now doing nasty things to your machine.
Funny thing about software; it’s written by humans. Humans are fallible and sometimes forget to cross Ts and dot Is. When this happens, it creates strange behavior in programs. Sometimes that strange behavior can be used to create a hole which malware could use to get into your machine more easily. The code they use to create that hole is Exploit code, or an Exploit for short.
Picture your computer as a house with one door; that’s the door you use to go in and surf the web, check your email, write documents, or play games. If someone sneaks in and creates a second door, we call that a “backdoor”. This backdoor allows them to come in and access your metaphorical house whenever they want, to do whatever they want. They can add security cameras to watch you, they can steal things, and they can even block numbers on your phone so you can’t call the police to report them. Similarly, with a backdoor Trojan they can capture your keystrokes, or they can steal data on your computer, or they could even redirect your web surfing away from places like security sites.
These two terms are interchangeable. The main mental image here is a thing with no mind of its own, driven by external motives. The hunger for brains, the code of some programmer… Either way, they’ve been stripped of their free will and are doing nasty things. In the malware sense, it’s an infected computer that has been filled with miscreants’ code that's instructing it to do their bidding.
So, what do you call the person who programs and controls bots? A botmaster, of course. This is the person who instructs the bots to go out on their nefarious missions.
When you have a bunch of bots, what do you do with them? Giving each one instructions individually is a royal pain. Instead, it’s much more efficient for a botmaster to instruct bots to go to a central meeting place, where they only have to give instructions once.
- Command & Control Channel:
What do you call this central bot-meeting place? A Command & Control Channel, or a C&C. Infected machines check in to a sort of chat room, and then sit there awaiting instructions.
- Goat Machine/Honeypot:
In order to see what sort of effects malware has on an average user’s machine, malware researchers will set up a lure or bait machine. It’s meant to look (to a casual glance) like an unprotected user’s machine, ripe for the picking. Think back to the scene in Jurassic Park where they’re trying to lure the T Rex with a goat. Or if you’d like a warmer and fuzzier mental image, think about Winnie the Pooh getting his head stuck in the honey jar. That’s what we’re going for here, trapping malware by luring them in with a tasty treat.
A sinkhole, in normal parlance, is a giant hole in the earth. In the malware research sense, it’s meant to conjure a similar mental image, with data being what falls into the hole. It’s a computer that is meant to redirect traffic between infected users’ machines and their intended target. This usually means one of three things. One meaning is that it’s trapping network traffic intended to attack something like a website in order to overwhelm that site so nobody else can access it. Another use is for trapping viruses, when an infected user’s machine is trying to search for other machines to infect. And lastly (and most relevant to Flashback), it can also mean intercepting communications between infected users’ machines and a C&C. Any of these three techniques can be used either to stop the harmful activities, or to analyze their behavior.